Friday, June 04, 2004

Cockroaches in the kitchen: problems with network appliances

How many computers do you own?

You own more than you think. If you have a cheap hardware firewall box or a wireless access point, those are complete computers on the inside. They probably have more power than NASA had for the moon landings.

If you're a paranoid security consultant, every computer you see makes you think "gee, could this have any security problems?" When the news broke that the Linksys® WRT54G Wi-Fi access point would let anyone on the Internet log in, change settings, and maybe even see your WEP key, I thought "and so it begins".

Linksys, a responsible and reputable vendor, released a fix. That's good, but it's like seeing a cockroach in your kitchen and stomping on it. There's one less cockroach but you have the sick feeling there must be more.

There are more cockroaches. The latest bug showed up in the WG602 wireless access point from NETGEAR®. Even if you change the administrator's password (as you should), there's a secret backdoor that lets anyone log in. The password is the phone number of the Taiwanese manufacturer. There's no fix yet.

I expect more problems like these, maybe even some with firewall products. Secure computer programming is hard, even harder than writing bug-free programs. Unless manufacturers tell their programmers "take your time, do it right" (like that's going to happen), we'll get more nasty surprises.

What's a consumer to do? Keep using your hardware firewall box. It protects you against many bad things even if it has hidden security bugs. Search the manufacturer's web site for phrases like "firmware upgrade" or "firmware download", and follow their instructions to make sure your box has the latest fixes.

Consider paying a local geek to turn a cheap old computer into a firewall by installing some well-debugged free "open source" software. "Open source" means that the inner workings are available for inspection and back doors are much less likely. A 486 that you can't even give away has enough horsepower to run a firewall for a DSL line. You get better security and more features than one of the firewall appliances can provide.
